Unit 42 researchers present a machine learning approach to predicting the maliciousness of .NET samples by analyzing the DoubleZero wiper. The study shows how .NET-specific structures, unmanaged API calls, and plain-text strings can reveal malicious intent beyond traditional PE analysis. #DoubleZeroWiper #ActiveDirectory
Key points
- Unit 42 researchers disclose a machine learning model trained on custom features from both PE and .NET file structures to detect the DoubleZero wiper.
- DoubleZero is a .NET/C# wiper, heavily obfuscated, capable of gaining high privileges and destroying targeted files quickly.
- Unlike some other wipers, DoubleZero overwrites only the first 4 KB of each selected file, using a file-system control operation (FSCTL_SET_ZERO_DATA) rather than ordinary writes.
- The detection approach leverages .NET-specific data (Cor20/CLR header, metadata) in addition to traditional PE features to improve accuracy.
- Unmanaged API calls through P/Invoke (ntdll.dll, kernel32.dll, etc.) and plain-text target patterns provide strong detection cues.
- Privilege elevation (SeTakeOwnership, SeBackup, SeRestore, SeShutdown) and LSASS termination are used as part of the wiper’s lifecycle and impact.
- The article emphasizes that imported libraries, unmanaged API calls, and unencrypted strings are key features for identifying .NET malware.
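As an added illustration of the .NET-specific features the article relies on (this is not Unit 42's code or model), the following extracts the Cor20/CLR header from a PE image: whether the CLR data directory is populated, the runtime version, the metadata location and the IL-only / native-entry-point flags. The sample PE images are constructed inline so the parser can be exercised offline; the flag and directory constants are the documented PE/CLR values.

```python
import struct

# Constructed example (not Unit 42's code): extract the .NET-specific features from a PE.
CLR_DIRECTORY_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x10

def dotnet_features(pe):
    """Return Cor20 header fields as a dict for a .NET PE, or None for a native PE."""
    if pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data-directory offset
    clr_rva, clr_size = struct.unpack_from("<II", pe, dd_base + 8 * CLR_DIRECTORY_INDEX)
    if clr_rva == 0 or clr_size == 0:
        return None                                    # empty CLR directory: not a .NET image
    off = None                                         # translate the RVA via the section table
    for i in range(nsect):
        vsize, va, rawsz, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        if va <= clr_rva < va + max(vsize, rawsz):
            off = rawptr + clr_rva - va
            break
    if off is None or off + 20 > len(pe):
        return None
    _cb, major, minor, md_rva, md_size, flags = struct.unpack_from("<IHHIII", pe, off)
    return {"runtime_version": f"{major}.{minor}", "metadata_rva": md_rva,
            "metadata_size": md_size, "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
            "native_entry": bool(flags & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT)}

def build_sample_pe(cor20=b""):
    """Constructed header-only PE32: one '.text' section at RVA 0x1000 holding cor20 (empty = native)."""
    dirs = [(0, 0)] * 16
    if cor20:
        dirs[CLR_DIRECTORY_INDEX] = (0x1000, len(cor20))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)        # 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(0x200, b"\0") + cor20.ljust(0x200, b"\0")

def build_cor20(flags):
    """Constructed leading Cor20 fields: cb, runtime 2.5, metadata at RVA 0x1100 (0x400 bytes), flags, entry token."""
    return struct.pack("<IHHIIII", 72, 2, 5, 0x1100, 0x400, flags, 0x06000001)
```

A populated CLR directory only says the file is managed code; in a model like the one described it is one feature alongside the P/Invoke imports and string patterns, not a verdict on its own.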
MITRE Techniques
- [T1106] Native API – The sample calls unmanaged APIs through P/Invoke, such as NtOpenFile from ntdll.dll and functions from kernel32.dll, to perform its actions. ‘The following unmanaged APIs are used in the sample: nt… NtOpenFile’…
- [T1083] File and Directory Discovery – The regular expression function is used to locate certain files by patterns. ‘The regular expression function imported by System.Text.RegularExpressions is used to locate certain files by patterns.’
- [T1027] Obfuscated/Compressed Files or Information – The CIL bytecode uses obfuscation to hide string resources and frustrate analysis. ‘The CIL bytecode uses obfuscation to hide the string resources that are critical for pattern based detection.’
- [T1548] Abuse Elevation Control Mechanism – Privilege Escalation – The wiper enables the SeTakeOwnership, SeBackup, SeRestore and SeShutdown privileges so that it can destroy files and reboot the host. ‘The following privileges are used to ensure the wiper has the access right to destroy the target file and reboot the system after all the actions are done.’
- [T1485] Data Destruction – The wiper zeroes the first 4 KB of each targeted file via FSCTL_SET_ZERO_DATA after opening it with NtOpenFile. ‘This is how the wiper writes 4K of null bytes to a targeted file that was opened by NtOpenFile.’
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – The wiper terminates security-related processes, notably lsass. ‘kills any process named lsass.’
Indicators of Compromise
- [Process name] lsass – The wiper kills the lsass process to disrupt security operations.
- [SHA256] 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe – Hash of the DoubleZero Wiper sample.
- [File name] mscoree.dll – Imported library used by the wiper; as the CLR loader stub it is imported by every managed executable, so on its own it is a .NET indicator, not a malware indicator.
- [Imported function] _CorExeMain – Entry point from mscoree.dll for managed executables.
Read more: https://unit42.paloaltonetworks.com/doublezero-net-wiper/